3.8-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Wed, 10 Apr 2013 22:27:07 +0000 (15:27 -0700)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Wed, 10 Apr 2013 22:27:07 +0000 (15:27 -0700)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 10 Apr 2013 22:27:07 +0000 (15:27 -0700)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 10 Apr 2013 22:27:07 +0000 (15:27 -0700)
diff --git a/queue-3.8/series b/queue-3.8/series

index 5541e0b28616038a9b2558496c14d529246feaaf..619eb4f721e3d38819d28d86c4f96716748642b5 100644 (file)
--- a/queue-3.8/series
+++ b/queue-3.8/series
@@ -57,3 +57,4 @@ drm-i915-add-quirk-to-invert-brightness-on-emachines-g725.patch
  drm-i915-add-quirk-to-invert-brightness-on-emachines-e725.patch
  drm-i915-add-quirk-to-invert-brightness-on-packard-bell-ncl20.patch
  r8169-fix-auto-speed-down-issue.patch
+vfio-pci-fix-possible-integer-overflow.patch
diff --git a/queue-3.8/vfio-pci-fix-possible-integer-overflow.patch b/queue-3.8/vfio-pci-fix-possible-integer-overflow.patch

new file mode 100644 (file)

index 0000000..dcc2177
--- /dev/null
+++ b/queue-3.8/vfio-pci-fix-possible-integer-overflow.patch
@@ -0,0 +1,42 @@
+From 904c680c7bf016a8619a045850937427f8d7368c Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Tue, 26 Mar 2013 11:33:16 -0600
+Subject: vfio-pci: Fix possible integer overflow
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 904c680c7bf016a8619a045850937427f8d7368c upstream.
+
+The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
+of which are unsigned.  We attempt to bounds check these, but fail to
+account for the case where start is a very large number, allowing
+start + count to wrap back into the valid range.  Bounds check both
+start and start + count.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/pci/vfio_pci.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/vfio/pci/vfio_pci.c
++++ b/drivers/vfio/pci/vfio_pci.c
+@@ -331,6 +331,7 @@ static long vfio_pci_ioctl(void *device_
+ 
+               if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
+                       size_t size;
++                      int max = vfio_pci_get_irq_count(vdev, hdr.index);
+ 
+                       if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
+                               size = sizeof(uint8_t);
+@@ -340,7 +341,7 @@ static long vfio_pci_ioctl(void *device_
+                               return -EINVAL;
+ 
+                       if (hdr.argsz - minsz < hdr.count * size ||
+-                          hdr.count > vfio_pci_get_irq_count(vdev, hdr.index))
++                          hdr.start >= max || hdr.start + hdr.count > max)
+                               return -EINVAL;
+ 
+                       data = memdup_user((void __user *)(arg + minsz),
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 10 Apr 2013 22:27:07 +0000 (15:27 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 10 Apr 2013 22:27:07 +0000 (15:27 -0700)
queue-3.8/series		patch \| blob \| blame \| history
queue-3.8/vfio-pci-fix-possible-integer-overflow.patch	[new file with mode: 0644]	patch \| blob